b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                      The Internal Revenue Service Should\n                        Improve Server Software Asset\n                        Management and Reduce Costs\n\n\n\n                                     September 25, 2014\n\n                             Reference Number: 2014-20-042\n\n\n\n\nThis report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n and information determined to be restricted from public release has been redacted from this document.\n\n\n\nPhone Number / 202-622-6500\nE-mail Address / TIGTACommunications@tigta.treas.gov\nWebsite        / http://www.treasury.gov/tigta\n\x0c                                                  HIGHLIGHTS\n\n\nTHE INTERNAL REVENUE SERVICE                         any specialized software license management\nSHOULD IMPROVE SERVER SOFTWARE                       tools for developing and maintaining such an\nASSET MANAGEMENT AND REDUCE                          enterprise-wide inventory. TIGTA estimates that\nCOSTS                                                the amount wasted because of the inadequate\n                                                     management of server software licenses is in\n                                                     the range of $81 million to $114 million based on\nHighlights                                           amounts spent for licenses and annual license\n                                                     maintenance that were not being used at the\n                                                     time of a compliance review. This range could\nFinal Report issued on                               be lower or higher depending on the extent that\nSeptember 25, 2014                                   the IRS had used the licenses prior to the\n                                                     compliance review. However, the IRS does not\nHighlights of Reference Number: 2014-20-042          know if the software licenses were ever used. In\nto the Internal Revenue Service Chief                addition, for some software, more licenses were\nTechnology Officer.                                  deployed than purchased. TIGTA estimates the\nIMPACT ON TAXPAYERS                                  value of these overdeployed licenses to be in\n                                                     the range of $24 million to $29 million.\nComputer software is typically protected by\nFederal copyright law, which requires users of       WHAT TIGTA RECOMMENDED\nsoftware programs to purchase licenses               To improve the management of server software\nauthorizing such use. Software licenses are          licenses based on Federal requirements and\nlegal rights to use software in accordance with      recommended industry best practices, TIGTA\nterms and conditions specified by the software       recommended that the Chief Technology Officer\ncopyright owner. Efficient and cost-effective        incorporate server software license\nmanagement of the IRS\xe2\x80\x99s software assets is           management in the enterprise-wide software\ncrucial to ensure that information technology        management program currently under\nservices continue to support the IRS\xe2\x80\x99s business      development.\noperations and help it to provide services to\ntaxpayers efficiently.                               In their response to the report, IRS management\n                                                     agreed with the recommendation, and server\nWHY TIGTA DID THE AUDIT                              software is already being considered as a\nThe overall objective was to determine whether       component of the enterprise-wide software\nthe IRS is adequately managing server software       management program under development. An\nlicenses. The audit is included in our Fiscal        Enterprise Software Governance Board has\nYear 2014 Annual Audit Plan and addresses the        been established along with a working group.\nmajor management challenge of Achieving              This effort includes the development of a\nProgram Efficiencies and Cost Savings.               standardized process for ensuring consistency\n                                                     in asset management across the enterprise.\nWHAT TIGTA FOUND                                     The IRS is also working to complete other\n                                                     software management actions, including\nThe IRS does not effectively manage server           developing an enterprise-wide repeatable\nsoftware licenses and is not adhering to Federal     method to manage and track the deployment of\nrequirements and industry best practices. The        licenses that can be uniformly used by all\nIRS does not have enterprise-wide or local           organizational entities responsible for managing\npolicies, procedures, and requirements for           licenses.\nmanaging server software licenses and does\nnot have a centralized, enterprise-wide              Although the IRS agreed that inadequate\norganizational structure for managing server         management of server software licenses is a\nsoftware licenses.                                   problem, it did not agree that it has resulted in\n                                                     significant waste and believes it has mitigated\nThe IRS does not have an enterprise-wide             some of these issues with a software contract\ninventory of license purchase and deployment         that was awarded at the end of 2012.\ndata on server-based software, nor does it have\n\x0c                                            DEPARTMENT OF THE TREASURY\n                                                 WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                         September 25, 2014\n\n\n MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER\n\n\n FROM:                       Michael E. McKenney\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 The Internal Revenue Service Should\n                             Improve Server Software Asset Management and Reduce Costs\n                             (Audit # 201320024)\n\n This report presents the results of our review of the Internal Revenue Service\xe2\x80\x99s (IRS)\n management of server software licensing. The overall objective of this review was to determine\n whether the IRS is adequately managing server software licenses. This review is included in our\n Fiscal Year 2014 Annual Audit Plan and addresses the major management challenge of\n Achieving Program Efficiencies and Cost Savings.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix VI.\n Copies of this report are also being sent to the IRS managers affected by the report\n recommendation. If you have any questions, please contact me or Danny Verneuille, Acting\n Assistant Inspector General for Audit (Security and Information Technology Services).\n\x0c                                 The Internal Revenue Service Should Improve\n                             Server Software Asset Management and Reduce Costs\n\n\n\n\n                                            Table of Contents\n\nBackground .......................................................................................................... Page 1\n\nResults of Review ............................................................................................... Page 4\n          The Internal Revenue Service Does Not Effectively\n          Manage Server Software Licenses ................................................................ Page 4\n                    Recommendation 1:........................................................ Page 15\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................ Page 18\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................ Page 22\n          Appendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 23\n          Appendix IV \xe2\x80\x93 Outcome Measure ................................................................ Page 24\n          Appendix V \xe2\x80\x93 Glossary of Terms ................................................................. Page 26\n          Appendix VI \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ...................... Page 29\n\x0c            The Internal Revenue Service Should Improve\n        Server Software Asset Management and Reduce Costs\n\n\n\n\n                   Abbreviations\n\nGSA          General Services Administration\nIBM          International Business Machines\nIRS          Internal Revenue Service\nIT           Information Technology\nITIL\xc2\xae        Information Technology Infrastructure Library\nTIGTA        Treasury Inspector General for Tax Administration\nVCMO         Vendor and Contract Management Office\n\x0c                               The Internal Revenue Service Should Improve\n                           Server Software Asset Management and Reduce Costs\n\n\n\n\n                                              Background\n\nSoftware asset management is a process for tracking and reporting the use and ownership of\nsoftware assets. Forrester Research Inc.1 defines software asset management as:\n           The systematic automation of processes to reconcile software licenses and statements of\n           entitlement, maintenance contracts, and original media with installed software and those\n           processes for discovering deployed software assets; to reconcile the assets to their\n           licenses, maintenance contracts, and definitions of entitlement; and to report on\n           compliance and discrepancies in such a way as to minimize the risk of legal action by\n           software vendors as well as loss of service to users or of reputation in the wider world.\nA critical part of software asset management is server software license management. The\nobjective of software license management is to manage, control, and protect an organization\xe2\x80\x99s\nsoftware assets, including management of the risks arising from the use of those software assets.\nProper management of software licenses helps to minimize risks by ensuring that licenses are\nused in compliance with licensing agreements and cost-effectively deployed and that software\npurchasing and maintenance expenses are properly controlled.\nSoftware license management can be difficult because:\n      \xef\x82\xb7    A large amount of information on software and hardware must be discovered and stored.\n      \xef\x82\xb7    Data need to be kept current on more than an annual basis.\n      \xef\x82\xb7    Identifying installed software and software license use may be affected by the\n           complexities in software installation and license use.\n      \xef\x82\xb7    Licensing models and definitions may significantly differ depending on the software\n           product and vendor.\nFederal requirements established by Executive Orders, the Federal Chief Information Officer\nCouncil, the National Institute of Standards and Technology, and the Department of the Treasury\nas well as recommended industry best practices govern the use and management of software\nlicenses. These sources provide guidance to ensure that software licenses are 1) efficiently\npurchased and are not being nondeployed or underdeployed, 2) used in compliance with\ncopyright laws, and 3) inventoried through the use of adequate recordkeeping systems that\ncontrol and track the use of licenses.\nDue to the complexity of the Internal Revenue Service\xe2\x80\x99s (IRS) software license environment, the\nTreasury Inspector General for Tax Administration (TIGTA) conducted three separate audits on\n\n1\n    See Appendix V for a glossary of terms.\n                                                                                              Page 1\n\x0c                           The Internal Revenue Service Should Improve\n                       Server Software Asset Management and Reduce Costs\n\n\n\nthe issue: 1) desktop and laptop environment, 2) mainframe environment, and 3) server\nenvironment. In the two previous TIGTA audits,2 we reported that for the desktop and laptop\nenvironment and the mainframe environment, the IRS did not:\n    \xef\x82\xb7   Adequately perform software license management.\n    \xef\x82\xb7   Adhere to Federal requirements and recommended industry best practices.\n    \xef\x82\xb7   Have enterprise-wide or local policies, procedures, and requirements for software license\n        management.\n    \xef\x82\xb7   Have defined roles and responsibilities and a centralized organizational structure for\n        managing software licenses.\n    \xef\x82\xb7   Use specialized software license tools designed to be the repository for software and\n        software license deployment. These tools should be used to discover, track, manage, and\n        detect inactive usage of software licenses.\n    \xef\x82\xb7   Have an accurate inventory of software and related licenses that contains licensing\n        models applicable to each software product which links data on the licenses purchased\n        and deployed with the purchase costs, procurement information, and monitoring and\n        usage data.\nTo address the reported issues, the IRS planned corrective actions to implement TIGTA\nrecommendations regarding:\n    \xef\x82\xb7   The development of policies, procedures, and requirements for managing software\n        licenses using Information Technology Infrastructure Library (ITIL\xc2\xae) best practices.\n    \xef\x82\xb7   The development of roles and responsibilities for software license management.\n    \xef\x82\xb7   The development of an enterprise-wide organizational structure to manage software\n        licenses.\n    \xef\x82\xb7   The implementation of specialized software tool(s) designed to discover, track, and\n        manage software licenses.\n    \xef\x82\xb7   The development of standard operating procedures for using software tools to manage\n        software licenses.\n    \xef\x82\xb7   The development of an enterprise-wide inventory of software licensing data and\n        maintaining the inventory with specialized software license tools.\n\n\n\n2\n TIGTA, Ref. No. 2013-20-025, Desktop and Laptop Software License Management Is Not Being Adequately\nPerformed (Jun. 2013) and TIGTA, Ref. No. 2014-20-002, The Internal Revenue Service Should Improve\nMainframe Software Asset Management and Reduce Costs (Feb. 2014).\n                                                                                                  Page 2\n\x0c                         The Internal Revenue Service Should Improve\n                     Server Software Asset Management and Reduce Costs\n\n\n\n   \xef\x82\xb7   Maintaining data in the inventory system that the IRS can use to more effectively review\n       software licensing agreements, purchases, deployment, usage, and other related aspects of\n       licensing to identify additional savings in software spending.\nWhile the prior audits focused on the desktop and laptop environment and the mainframe\nenvironment, this audit focused on the software and license management of the IRS\xe2\x80\x99s server\nenvironment.\nThis review was performed at the Information Technology (IT) organization\xe2\x80\x99s Enterprise\nOperations and Strategy and Planning organizations in New Carrollton, Maryland, and the IRS\nCampus in Austin, Texas. Additionally, information was obtained from the many business units\nthat were managing software products we reviewed, such as the Research, Analysis and Statistics\nfunction; the Communications and Liaison function; the Wage and Investment Division; the\nLarge Business and International Division; the Agency-Wide Shared Services; and other\nfunctions within the IT organization during the period May 2013 to March 2014.\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objective. We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our audit objective. Detailed information on our audit\nobjective, scope, and methodology is presented in Appendix I. Major contributors to the report\nare listed in Appendix II.\n\n\n\n\n                                                                                          Page 3\n\x0c                            The Internal Revenue Service Should Improve\n                        Server Software Asset Management and Reduce Costs\n\n\n\n\n                                    Results of Review\n\nThe Internal Revenue Service Does Not Effectively Manage Server\nSoftware Licenses\nExecutive Order 13103, Computer Software Piracy, requires and ITIL best practices recommend\nthe development of software license management policies and procedures and roles and\nresponsibilities. The ITIL and industry best practices recommend a centralized, enterprise-wide\nmanagement structure for software asset management. These best practices indicate that some of\nthe most significant benefits of software asset management, both cost and risk-management\nbenefits, come from managing software on an enterprise-wide basis. An enterprise-wide\nmanagement structure can actively manage software assets to know the location, configuration,\nand usage history of every product. In addition, an enterprise-wide management structure\nsupported by an enterprise-wide inventory and automated software license management tools can\nbetter provide procurement staff with the detailed and accurate information needed to negotiate\nflexible, cost-effective contracts and form the basis for cost reduction projects such as platform\nstabilization, volume bundling, securing longer term agreements, and vendor or hardware\nconsolidation. In September 2010, the IRS\xe2\x80\x99s Chief Technology Officer outlined a goal to have\nthe IT organization implement the ITIL best practices over the next several years. The IRS\nreported that the IT organization had achieved ITIL Maturity Level 3 in October 2012.\nExecutive Orders;3 Department of the Treasury Directive 85-02, Software Piracy Policy;4 and\nInternal Revenue Manual 10.8.25 require and ITIL and industry best practices recommend\ncreating and maintaining accurate enterprise-wide inventories of installed software and licenses.\nThese inventories should contain licensing models applicable to each software product and link\nthe data on licenses bought and deployed, including costs. This will help ensure that software\npurchased is not nondeployed or underdeployed and that software is used in compliance with\ncopyright laws.\nThe National Institute of Standards and Technology Special Publication 800-53, Recommended\nSecurity Controls for Federal Information Systems and Organizations,6 and Treasury Directive\nPublication 85-01, Treasury IT Security Program,7 require and ITIL and industry best practices\nrecommend implementing enterprise-wide software asset discovery, network scanning, license\n\n3\n  Exec. Order No. 13103, Computer Software Piracy (1998), and Exec. Order No. 13589, Promoting Efficient\nSpending (2011).\n4\n  Dated May 4, 2010.\n5\n  Internal Revenue Manual 10.8.2 (Sept. 9, 2012).\n6\n  Dated Aug. 2009.\n7\n  Dated Nov. 3, 2006.\n                                                                                                       Page 4\n\x0c                             The Internal Revenue Service Should Improve\n                         Server Software Asset Management and Reduce Costs\n\n\n\nmanagement, and license metering tools. Software asset discovery tools are used to identify\ninstalled software and collect relevant details about each installed software product. Network\nscanning tools are used to detect and remove any unauthorized or unlicensed installed software.\nSoftware license management tools help to ensure compliance with licensing agreements by\ntracking license usage, linking upgrades to original licenses, linking licenses bought to licenses\nused, and managing the stock of unused licenses. License metering tools help to ensure that\nlicenses are used cost effectively by detecting installed software that is not being used, is being\nunderutilized, or is being overutilized so that the licenses can be managed effectively.\n\nThe IRS does not have defined policies and procedures or roles and\nresponsibilities for server software license management\nThe IRS does not have an enterprise-wide software licensing program designed around industry\nbest practices. The IRS does not have enterprise-wide or local policies, procedures, and\nrequirements for managing server software licenses. The IRS has defined software asset and\nlicense management roles and responsibilities only for the Chief Information Officer/Chief\nTechnology Officer in Internal Revenue Manual 10.8.2, IT Security Roles and Responsibilities.8\nInternal Revenue Manual 2.14.1, Asset Management, Information Technology (IT) Asset\nManagement,9 does not provide any additional roles and responsibilities for software asset and\nlicense management.\nTwo offices within the IT organization have mission statements that suggest those functions have\nsome responsibility for managing server software assets and licenses. However, personnel in the\noffices stated that they do not have any defined server software license management policies and\nprocedures or roles and responsibilities.\n      \xef\x82\xb7   Security Operations and Standards Division. Part of the mission of this division is to\n          oversee infrastructure inventory, asset management, and procurement. The Acquisition\n          and Contracts Management Section within this division processes software requisitions\n          for most mainframe and server software. To process software requisitions, the\n          IT organization works with customers in preparing, approving, and submitting\n          requisitions to the IRS Office of Procurement. While the Acquisition and Contracts\n          Management Section reviews mainframe and server requisitions, including ones it does\n          not process, the section does not perform any analysis or report on software contracts or\n          licensing. The section does not perform any comparative analysis of software\n          requisitions to software inventory to determine if software purchases could be made more\n          cost effectively.\n      \xef\x82\xb7   Vendor and Contract Management Office (VCMO). The mission of this office is to\n          maximize the value of information technology investments by implementing effective\n\n\n8\n    Dated April 29, 2011.\n9\n    Dated November 8, 2011.\n                                                                                             Page 5\n\x0c                             The Internal Revenue Service Should Improve\n                         Server Software Asset Management and Reduce Costs\n\n\n\n        sourcing strategies, monitoring vendor performance and contract management, and\n        facilitating strong acquisition governance processes.\nThe IRS also does not have a centralized, enterprise-wide organizational structure for managing\nserver software licenses. Functions managing server licenses are dispersed throughout the\nIT organization and business units depending on factors such as whether the software is platform\ninfrastructure, a specialized application used by a specific business unit, and in general, what\nprocess the software is used to perform. However, the VCMO has recently begun conducting\nactivities that are partially related to centralized, enterprise-wide software license management\nfor International Business Machines (IBM) and Microsoft server and workstation software, as\nexplained in the next section. VCMO personnel stated that, in response to a prior TIGTA audit\nreport recommendation,10 they are in the process of developing roles, responsibilities, and\nstandards for an enterprise-wide software asset management program.\nOur review of 23 server software products revealed that the IRS is not adequately managing\nserver software licenses. Figure 1 shows that licenses for eight software products were\nunderdeployed by an average of 41.9 percent of the licenses owned, at an estimated cost of\n$5.3 million and an estimated average of $666,000 per software product. Licenses for one\nsoftware product were overdeployed by 1,150.0 percent of the licenses owned, at an estimated\ncost of $11.6 million. Our figures on license underdeployments only include amounts in excess\nof 10 percent of the number of licenses purchased.11\n\n\n\n\n10\n   TIGTA, Ref. No. 2013-20-025, Desktop and Laptop Software License Management Is Not Being Adequately\nPerformed (Jun. 2013).\n11\n   We allowed a 10-percent cushion for the purchase of additional licenses that might have been bought at volume\ndiscount prices in anticipation of additional licenses being needed in the near future.\n                                                                                                           Page 6\n\x0c                              The Internal Revenue Service Should Improve\n                          Server Software Asset Management and Reduce Costs\n\n\n\n             Figure 1: Software Licenses Underdeployed and Overdeployed\n\n                                     Number of\n                Number of            Licenses                  Percentage of\n                 Licenses         Underdeployed or           Underdeployment\nSoftware        Purchased          Overdeployed             or Overdeployment               Estimated Cost\n\n                                                Underdeployment12\n\nProduct 1          1,056                   298                       28.2            $1.7 million on licenses\n                                                                                     $1.6 million on licenses and\nProduct 2          3,374                  2,870                      85.1\n                                                                                     one year of maintenance\n                                                                                     $850,000 on licenses and\nProduct 3         153,500                11,290                      7.4\n                                                                                     one year of maintenance\n                                                                                     $838,000 on licenses and\nProduct 4         104,920                16,478                      15.7\n                                                                                     one year of maintenance\n                 Unlimited         One entire module\n                                                                                     $148,000 on licenses and\nProduct 5     across multiple     not deployed (20.9%                20.9\n                                                                                     five years of maintenance\n                 modules             of the contract)\n                                                                                     $96,000 on licenses and\nProduct 6         250,000                69,932                      28.0\n                                                                                     two years of maintenance\n                                                                                     $68,000 on licenses and\nProduct 7            18                    1813                     100.0\n                                                                                     three years of maintenance\n                                                                                     $26,000 on licenses and\nProduct 8             4                     2                        50.0\n                                                                                     one year of maintenance\n Total 8                                                                             $5.3 million\n                                                               41.9 (average)\nProducts                                                                             (average $666,000)\n\n                                                  Overdeployment\n\n                                                                                     $11.6 million for additional\nProduct 9            32                    368                     1,150.0           licenses and maintenance\n                                                                                     for one year\n Source: TIGTA analysis of IRS purchase records, software and hardware data, and discussions with IRS\n IT organization and business unit management and personnel.\n\n\n\n\n12\n   We allowed a 10-percent cushion for the purchase of additional licenses that might have been bought at volume\ndiscount prices in anticipation of additional licenses being needed in the near future. The number of underdeployed\nlicenses is in excess of the 10-percent cushion.\n13\n   Cushion not allowed because no licenses were deployed.\n                                                                                                            Page 7\n\x0c                         The Internal Revenue Service Should Improve\n                     Server Software Asset Management and Reduce Costs\n\n\n\nIn addition to underdeployment and overdeployment of server software licenses, our review of\nthe 23 server software products identified the following instances of inadequate software license\ntracking and management:\n   \xef\x82\xb7   For 11 products, the IRS did not have documentation explaining the terms, definitions,\n       limitations, or conditions imposed by the software\xe2\x80\x99s license model. Such documentation\n       explaining the license model should be retained to ensure that the model is properly\n       applied to deployed licenses. For one of the 11 products (Product 9), the IRS\n       misunderstood the license model, causing the licenses to be significantly overdeployed.\n   \xef\x82\xb7   For 15 products, the IRS did not have reports that tracked the number of licenses\n       deployed against the number of licenses purchased.\n           o For six of the 15 products, a local informal discussion was held annually when\n             maintenance needed to be purchased. For these six products, we obtained data on\n             installed instances of the software and the servers the software was installed on to\n             determine the number of licenses deployed. We determined that four products did\n             not result in underdeployment or overdeployment of licenses, but for one product\n             (Product 9), significant overdeployment of licenses had occurred, and for another\n             product (Product 8), licenses were underdeployed.\n           o For three of the 15 products, the IRS maintained data from which it could perform\n             extractions to determine the number of licenses deployed. We requested that\n             reports be prepared for these three products and found that licenses were being\n             underdeployed for each of the three products (Products 1, 3, and 4).\n           o For two of the 15 products, the IRS could not provide any data that could be used\n             to determine the number of licenses deployed.\n           o For four of the 15 products, the nature of the license model did not require\n             tracking of deployed licenses.\n\nThe IRS does not use software license tools and does not maintain server license\ninventories in accordance with Federal requirements and industry best practices\nNeither the Enterprise Operations organization nor the VCMO within the IT organization has an\nenterprise-wide inventory of license purchase and deployment data on server-based software or\nany specialized software license management tools for developing and maintaining such an\nenterprise-wide inventory. The functions managing licenses are dispersed (decentralized)\nthroughout the IT organization and business units. Any license tracking records are stored\nlocally. Decentralized groups that may be managing and tracking licenses on server software are\ndoing so by using queries, spreadsheets, record systems, scanning tools not specifically designed\nfor software license management to gather rough software data, utilities unique to the software\nproduct being tracked, and manual calculations to maintain their own software licensing records.\n\n\n                                                                                            Page 8\n\x0c                         The Internal Revenue Service Should Improve\n                     Server Software Asset Management and Reduce Costs\n\n\n\nThe VCMO was the only function we identified that was conducting activities that are partially\nrelated to centralized, enterprise-wide software license management, and they were doing it for\nonly IBM and Microsoft server and workstation software. However, these activities were not an\nadequate software license management process, did not use specialized software license\nmanagement tools, and did not produce software license inventories for all IBM and Microsoft\nsoftware.\nEven though the IRS does not have written policies and procedures for managing server software\nlicenses, through interviews, we obtained information on the local approach or processes used by\nthe VCMO to manage server software licenses for IBM and Microsoft software. To determine\nthe number of licenses deployed, the VCMO begins by using a search tool to find IBM and\nMicrosoft server software in an IRS database containing data on installed instances of software\nand the computers the software is installed on. The data are on installed software instances\nbecause the scanning tool that creates the database has no licensing scanning capability. The\nsearch for IBM and Microsoft server software within this database produces a server table that\nlists servers having installed instances of IBM and Microsoft software, along with data on the\nsoftware and the servers. Because licensing models can vary among different software, the\nVCMO then has to use the hardware and software data provided in the table, or from other\nsources as appropriate, to calculate the number of licenses deployed on the servers in this table.\nThe VCMO uses the data in the server table to create a license deployment table listing software\nand the number of licenses deployed. The VCMO obtains from IBM and Microsoft data on\nsoftware and licenses purchased by the IRS to create a license entitlement table listing software\nand the number of licenses purchased.\nThese tables do not contain any reports matching the number of licenses deployed to the number\npurchased on any IBM or Microsoft software product. Performing a license reconciliation is not\nas simple as just matching a software product in the license deployment table to the license\nentitlement table because software titles are often named differently due to the data in the\ntwo tables coming from different sources. Sometimes the server table with the query results\nneeds to be researched again in a different way to more accurately determine the number of\nlicenses deployed. These three tables give the VCMO the capability to perform additional\nanalysis and calculations on a request basis. The VCMO uses these tables to produce license\nreports only on a case-by-case basis when a report is needed on specific IBM and Microsoft\nsoftware products, e.g., when data are needed for contract renewals. However, we could not\nreview these reports because the VCMO did not save the reports or worksheets.\nThe activities performed by the VCMO for tracking the deployment of software licenses and\nentitlement on IBM and Microsoft software are not considered adequate software license\nmanagement because:\n   \xef\x82\xb7   This capability is used only on specific software when requested, usually during contract\n       renewal. The process is more for contract management than software license\n       management. The process provides tables of information so that when it is time to renew\n\n                                                                                           Page 9\n\x0c                          The Internal Revenue Service Should Improve\n                      Server Software Asset Management and Reduce Costs\n\n\n\n       a contract, personnel can refer to the tables and only have to perform the additional\n       analysis and calculations to determine license requirements. After the contract is\n       renewed, the process does not provide ongoing software license tracking and\n       management with frequent inventory updating.\n   \xef\x82\xb7   The process does not result in an inventory list of software products showing the number\n       of licenses purchased and deployed. The VCMO stated that they have neither the\n       resources nor the tools to perform all of the additional analysis and calculations necessary\n       to regularly prepare license reconciliation reports on all of the IBM and Microsoft\n       software being used by the IRS.\n   \xef\x82\xb7   The VCMO has calculated license deployment and license entitlement only on specific\n       software requests it receives and did not keep the additional worksheets and license\n       reports after they were provided to the requestors.\n   \xef\x82\xb7   The scanning tool that creates the IRS database containing data on installed instances of\n       software and the computers the software is installed on cannot reach all computers that\n       have the software installed, causing VCMO calculations of deployment counts to be\n       undercounted.\nFor eight of the 23 server software products we reviewed, the IRS had reports that tracked the\nnumber of licenses deployed against the number of licenses purchased, but seven of the eight\nsoftware products records were being maintained locally, not in a centralized inventory, and\ntools designed for software license management were not being used.\nWithout these tools and a software asset and license management structure in place, the IRS\ncannot effectively determine if the software contracts it enters into are reflective of its current or\nfuture projected server software license and support needs. In addition, the IRS cannot, from an\nenterprise-wide basis, effectively manage its server software and license compliance to the\ncontract option-year renewals. In September 2007, the IRS entered into a one-year contract with\nfour option years for the use and support of IBM software. In September 2012, an external\ncontractor hired by the prime contractor, i.e., IBM, completed a compliance review of the IRS\xe2\x80\x99s\ncontract for IBM software and related licensing. Using asset discovery, network scanning,\nlicense management, and license metering tools, this contractor found several issues that\nincluded nondeployed, underdeployed, and overdeployed software licenses that the IRS had\npurchased under the contract. In turn, the IRS hired its own contractor, costing $50,000, to\nevaluate the compliance review results and to assist the IRS in negotiating a new contract\nagreement. The IRS-hired contractor did not dispute the results from the compliance review.\nAs shown in Figures 2 through 4, TIGTA used data from the original compliance review and the\nGeneral Services Administration (GSA) list price costs to estimate the extent that the licenses for\nserver software were nondeployed, underdeployed, and overdeployed and the related estimated\n\n\n\n\n                                                                                              Page 10\n\x0c                              The Internal Revenue Service Should Improve\n                          Server Software Asset Management and Reduce Costs\n\n\n\nvalue.14 Figure 2 shows that no licenses were deployed for 43 software products at the time of\nthe compliance review, at an estimated range of value from $43.3 million to $62.0 million and an\nestimated average range of $1.0 million to $1.4 million per software product. This range could\nbe lower or higher depending on the extent that the IRS had used the licenses prior to the\ncompliance review. However, the IRS does not know if the software licenses were ever used.\n                      Figure 2: IBM Software With No Licenses Deployed\n\n                                                        Estimated Values\n\n      Software                      GSA Price List                             30-Percent Discount15\xc2\xa0\n\n      Product 1                       $14.6 million                                 $10.2 million\n      Product 2                       $10.4 million                                  $7.3 million\n      Product 3                       $7.2 million                                   $5.0 million\n      Product 4                       $5.4 million                                   $3.8 million\n      Product 5                       $5.0 million                                   $3.5 million\n      Product 6                       $4.6 million                                   $3.2 million\n      Product 7                       $1.9 million                                   $1.3 million\n      Product 8                       $1.9 million                                   $1.3 million\n      Product 9                       $1.3 million                                   $0.9 million\n     Product 10                       $1.3 million                                   $0.9 million\n     33 Products            $8.4 million (average $255,000)               $5.9 million (average $178,800)\n\n      Total 43\n                         $62.0 million (average $1.4 million)          $43.3 million (average $1.0 million)\n      Products\n\n     Source: TIGTA analysis of IRS and contractor records, 2012 GSA Price List, and discussions with\n     IRS IT organization management and personnel.\n\nFigure 3 shows that licenses for 18 software products were underdeployed by an average of\n66.5 percent of the licenses owned at the time of the compliance review, at an estimated range of\nvalue from $32.8 million to $46.8 million and an estimated average range of $1.8 million to\n$2.6 million per software product. This range could be lower or higher depending on the extent\n\n\n14\n   We used GSA list prices because the IBM contract in effect when the compliance review was performed did not\ninclude itemized pricing information that TIGTA could use to determine the exact cost of the nondeployed,\nunderdeployed, and overdeployed software licenses and related software and subscription support. The GSA list\nprice was the only itemized pricing information available.\n15\n   The IRS commented that, due to its volume purchasing of IBM software, it received a 30-percent discount off the\nGSA price; however, the IRS is unable to provide any supporting evidence of the discount.\n                                                                                                         Page 11\n\x0c                              The Internal Revenue Service Should Improve\n                          Server Software Asset Management and Reduce Costs\n\n\n\nthat the IRS had used the licenses prior to the compliance review. However, the IRS does not\nknow if the software licenses were ever used. Our figures on license underdeployments only\ninclude amounts in excess of 10 percent of the number of licenses purchased.\n                      Figure 3: IBM Software With Licenses Underdeployed\n\n                                                                         Estimated Values\n\n                            Percentage of                                                    30-Percent\n       Software            Underdeployment                   GSA Price List                  Discount16\n\n       Product 1                   79.9                         $7.5 million                 $5.2 million\n       Product 2                   83.1                         $6.3 million                 $4.4 million\n       Product 3                   80.0                         $6.1 million                 $4.3 million\n       Product 4                   42.5                         $5.4 million                 $3.8 million\n       Product 5                   86.1                         $4.3 million                 $3.0 million\n       Product 6                   89.8                         $3.8 million                 $2.7 million\n       Product 7                   89.7                         $2.7 million                 $1.9 million\n       Product 8                   89.3                         $2.4 million                 $1.7 million\n       Product 9                   89.7                         $2.2 million                 $1.5 million\n      Product 10                   34.1                         $2.0 million                 $1.4 million\n                                                               $4.1 million                 $2.9 million\n     Eight Products          54.1 (average)\n                                                           (average $513,000)           (average $362,500)\n\n       Total 18                                               $46.8 million               $32.8 million\n                             66.5 (average)\n       Products                                           (average $2.6 million)      (average $1.8 million)\n\n     Source: TIGTA analysis of IRS and contractor records, 2012 GSA Price List, and discussions with\n     IRS IT organization management and personnel.\n\nFigure 4 shows that licenses for 11 software products were overdeployed by an average of\n309.1 percent of the licenses owned, at an estimated range of value from $12.0 million to\n$17.2 million and an estimated average range of $1.1 million to $1.6 million per software\nproduct.\n\n\n\n\n16\n The IRS commented that due to its volume purchasing of IBM software it received a 30-percent discount off the\nGSA price; however, the IRS is unable to provide any supporting evidence of the discount.\n                                                                                                        Page 12\n\x0c                              The Internal Revenue Service Should Improve\n                          Server Software Asset Management and Reduce Costs\n\n\n\n                     Figure 4: IBM Software With Licenses Overdeployed\n\n                                                                        Estimated Values\n                            Percentage of\n      Software\n                           Overdeployment\n                                                            GSA Price List            30-Percent Discount17\n\n      Product 1                  129.0                        $4.4 million                  $3.1 million\n      Product 2                   84.0                        $4.3 million                  $3.0 million\n      Product 3                  462.5                        $4.2 million                  $2.9 million\n      Product 4                   96.7                        $2.0 million                  $1.4 million\n      Product 5                  445.0                        $1.0 million                  $0.7 million\n     Six Products           363.8 (average)                   $1.3 million                  $0.9 million\n                                                          (average $217,000)            (average $150,000)\n\n      Total 11                                              $17.2 million                 $12.0 million\n                            309.1 (average)\n      Products                                          (average $1.6 million)        (average $1.1 million)\n\n     Source: TIGTA analysis of IRS and contractor records, 2012 GSA Price List, and discussions with\n     IRS IT organization management and personnel.\n\nIRS management informed us of several potential factors it believed affected the software license\nnondeployments and underdeployments in Figures 2 and 3.\n      \xef\x82\xb7   Some license underdeployment could be attributed to software that is in the process of\n          being replaced by a different product prior to expiration of the entitlements, resulting in\n          significant short-term underdeployments until the entitlements expire.\n      \xef\x82\xb7   Some license underdeployment could be attributed to software that is in the process of\n          being deployed as a project grows.\n      \xef\x82\xb7   Some nondeployed licenses could be for software modules within a large software suite\n          that the IRS has no need for but must buy as a package from the vendor.\nIRS management also commented that the estimated costs we provided are inflated because the\nIRS is a large purchaser of IBM software and it pays less than the GSA price. However, the IRS\nwas unable to provide documentation to support that the comment and potential factors\nspecifically applied to the software in Figures 2 through 4. Nonetheless, to account for the\npossibility that the IRS received a substantially discounted price, we provide a range of values in\nFigures 2 through 4.\n\n\n\n17\n The IRS commented that due to its volume purchasing of IBM software it received a 30-percent discount off the\nGSA price; however, the IRS is unable to provide any supporting evidence of the discount.\n                                                                                                       Page 13\n\x0c                          The Internal Revenue Service Should Improve\n                      Server Software Asset Management and Reduce Costs\n\n\n\nThe IRS does not have enterprise-wide or local server software asset and license management\npolicies and procedures, an asset and license management structure, or defined roles and\nresponsibilities in accordance with Federal requirements and industry best practices. The IRS\ndoes not have an enterprise-wide inventory of server software assets and software licensing data\nin accordance with Federal requirements and industry best practices. Additionally, the IRS has\nnot identified and implemented automated software license tools for the enterprise-wide\nmanagement of server software assets and licenses. This is due, in part, to Internal Revenue\nManual 2.14.1, Asset Management, Information Technology (IT) Asset Management\n(November 8, 2011), which states in section 13.17 that software management is under\ndevelopment and that procedures are being defined.\nThe lack of an enterprise-wide inventory with comprehensive data on all server software assets\nand software licensing impedes the IRS\xe2\x80\x99s ability to more effectively analyze the relationships\namong its software license agreements and vendors to more cost effectively buy software\nlicenses and maintenance. In an effort to offset budget constraints, the IT organization created\nthe VCMO with a mandate to create savings by promoting innovative sourcing alternatives that\ngenerate the same or additional value while minimizing risk. Because the IRS does not have\nadequate software licensing tools and inventories, the VCMO has to improvise using various\ntools and data and search various record systems to manually compile hardware and software\ndata and then perform additional calculations to conduct software licensing analysis. The\nVCMO has achieved some software licensing savings during the last two years, but we believe\nthat better software license inventories and tools would enable it to identify additional savings\nopportunities.\nUntil the IRS addresses the issues presented in this report, it is incurring increased risks in\nmanaging software licenses. These risks include: 1) not complying with licensing agreements,\nwhich could result in embarrassment, legal problems, and financial liability; 2) not using licenses\nin the most cost-effective manner; and 3) not effectively using licensing data to reduce software\npurchase and software maintenance costs. In fact, these deficiencies have already resulted in\nlicenses for server software being nondeployed or underdeployed (with an estimated cost in the\nrange of $81.4 million to $114.1 million) and overdeployed (with an estimated value in the range\nof $23.6 million to $28.8 million.\nBecause the IRS does not have an enterprise-wide software licensing program designed around\nindustry best practices, dispersed functions throughout the IT organization and business units are\nperforming software license management at inconsistent levels of quality. For example:\n   \xef\x82\xb7   For one of the 23 software products we reviewed, the staff created a SharePoint website\n       to manage software licenses. The site had the software license agreement, written\n       procedures prepared by the staff for managing and tracking the deployment of software\n       licenses, and other documentation on the software. They also created a database\n       containing data on the servers to which licenses had been assigned, which enables them\n       to produce reports for managing the licenses. The staff periodically refers to an IRS list\n\n                                                                                           Page 14\n\x0c                         The Internal Revenue Service Should Improve\n                     Server Software Asset Management and Reduce Costs\n\n\n\n       of active computers and returns to inventory licenses on computers no longer in use. This\n       enables them to reassign those licenses when new needs arise instead of purchasing\n       additional licenses. As a result of this manual process created by the local personnel\n       managing this software product, the number of software licenses deployed was within\n       close range to the number purchased. Annual maintenance was being purchased only on\n       those licenses being used and on additional licenses that might need to be deployed\n       within the upcoming fiscal year.\n   \xef\x82\xb7   For another of the 23 software products we reviewed, software license management was\n       being performed informally with various staff conferring annually to discuss the purchase\n       of software license maintenance. They could not provide us with any records to support\n       the deployment of the software and software licenses. They did not have a copy of the\n       software license agreement needed to understand the license model and had to obtain it\n       from the vendor at our request. We requested that the IRS provide us with detailed data\n       on the servers that had installed instances of the software so that we could compute the\n       number of software licenses being used. We determined that the IRS was significantly\n       overdeploying software licenses. The IRS had purchased 32 licenses but needed at least\n       400 licenses. We determined that the cost to purchase and pay annual maintenance on\n       368 additional licenses for Fiscal Year 2013 was about $11.6 million using the actual\n       costs incurred by the IRS to purchase and pay annual maintenance on the 32 licenses.\n       IRS staff misunderstood the license metric and believed that the licenses purchased\n       resulted in one license that allowed unlimited use of the software. The IRS plans to\n       contact the vendor to determine corrections that need to be made to this license purchase.\n\nRecommendation\nTo improve the management of server software licenses based on Federal requirements and\nrecommended industry best practices, the Chief Technology Officer should:\nRecommendation 1: Incorporate server software license management in the enterprise-wide\nsoftware management program currently under development.\n       Management\xe2\x80\x99s Response: IRS management agreed with the recommendation, and\n       server software is already being considered as a component of the enterprise-wide\n       software management program under development. Additionally, an Enterprise Software\n       Governance Board has been established along with an Enterprise Software Governance\n       Board Working Group. This effort includes the development of a standardized process\n       for ensuring consistency in asset management across the enterprise. IRS management\n       also stated that they have already completed actions to ensure that software management\n       policies and guidance are aligned to and include the protocols, functions, and\n       decisionmaking outcomes across enterprise units through the Enterprise Software\n       Governance Board. The IRS is working to complete a number of other software\n       management actions, including developing an enterprise-wide repeatable method to\n\n                                                                                         Page 15\n\x0c                  The Internal Revenue Service Should Improve\n              Server Software Asset Management and Reduce Costs\n\n\n\nmanage and track the deployment of licenses that can be uniformly used by all\norganizational entities responsible for managing licenses. These and other efforts under\ndevelopment will help move the IRS towards a comprehensive enterprise program for\nsoftware license management.\nWhile the IRS agreed with our recommendation to improve the management of server\nsoftware licenses, the IRS disagreed with TIGTA\xe2\x80\x99s findings on the overdeployment,\nunderdeployment, and nondeployment of software licenses and the related outcome\nmeasures. Specifically:\n   \xef\x82\xb7   The IRS stated that it found discrepancies in TIGTA\xe2\x80\x99s analysis that stem from a\n       misinterpretation of how IBM software is licensed and what constitutes\n       underdeployment, overdeployment, and nondeployment of perpetual licenses.\n       The IRS also stated that it found instances in which TIGTA calculated values\n       using license costs but a maintenance cost would have been more appropriate.\n   \xef\x82\xb7   The IRS disagreed with all of the IBM server software found by TIGTA to have\n       nondeployed and underdeployed licenses in Figure 2: IBM Software With No\n       Licenses Deployed and in Figure 3: IBM Software With Licenses Underdeployed.\n       The IRS stated that TIGTA\xe2\x80\x99s estimated values should only contain the cost of\n       annual support because the IRS already owns these licenses, whereas TIGTA\n       based its estimated values on the cost of purchasing the nondeployed and\n       underdeployed licenses as well as their annual support costs.\n   \xef\x82\xb7   The IRS disagreed that licenses were overdeployed on nine of the 11 IBM\n       software products shown in Figure 4: IBM Software With Licenses\n       Overdeployed.\n   \xef\x82\xb7   The IRS also disagreed that licenses were underdeployed and overdeployed on\n       six of the nine software products shown in Figure 1: Software Licenses\n       Underdeployed and Overdeployed.\nOffice of Audit Comment: We did not include any unlimited licenses within the\nreport calculations and not all IBM products reviewed and presented in this report were\ncovered by a perpetual license. To determine the extent that IBM licenses were\nunderdeployed, overdeployed, and nondeployed, we relied on a study performed by a\ncontractor, the results of which were reviewed and not disputed by another IRS contractor\nas well as IRS staff.\nIn estimating the value of nondeployed, underdeployed, and overdeployed licenses, we\nused the one-time GSA price of purchasing the licenses at the point in time we performed\nour review. We also included the GSA price of annual maintenance because it is an\nannual recurring cost of maintaining the licenses. The IRS asserted that we should have\nonly used maintenance costs. This methodology would be appropriate if the IRS\ndemonstrated that it had ever deployed or utilized these software licenses. We requested\n                                                                                  Page 16\n\x0c                  The Internal Revenue Service Should Improve\n              Server Software Asset Management and Reduce Costs\n\n\n\nbut did not obtain software license utilization and costing information from the IRS on\nthe IBM software in the contractor study.\nThe IRS is unable to accurately track utilization of its software license assets and does\nnot have any detailed costing information for the software license assets presented in this\nreport. We note in the report that the estimated range of the cost of nondeployed or\nunderdeployed licenses could be lower if the IRS had ever used the software; however, it\nshould be noted that the total cost over time of this software could actually be higher. We\nonly included the license cost and the cost of maintenance for one year even though the\nIRS owned and paid maintenance for several years on many of these software products.\nThe amount of underpayment for the overdeployed licenses could also be higher over\ntime. Moreover, the range we report also includes the potential discounted price to\naccount for the possibility that the IRS received a substantial discount due to the volume\nand bundling even though the IRS does not have any documentation supporting this\nclaimed discount.\nFinally, in our review of 23 server software products, we held numerous meetings with\nsubject matter experts from the VCMO, Enterprise Operations organization, Office of\nProcurement, and various other business units involved in the procurement, installation,\nand use of the software. When available, we obtained and reviewed documentation\nprovided by these individuals to develop our estimated values.\n\n\n\n\n                                                                                   Page 17\n\x0c                               The Internal Revenue Service Should Improve\n                           Server Software Asset Management and Reduce Costs\n\n\n\n                                                                                     Appendix I\n\n            Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine whether the IRS is adequately managing\nserver software licenses. To accomplish our objective, we:\nI.         Determined Government requirements and industry best practices1 for software license\n           management.\n           A. Reviewed Government requirements and industry best practices for software license\n              management and Government Accountability Office and TIGTA audit reports on\n              software license management.\n           B. Identified additional Government requirements for software license management that\n              applied to the management of server software licenses.\n           C. Identified additional industry best practices for software license management that\n              applied to the management of server software licenses.\n           D. Identified additional Government Accountability Office and TIGTA audit reports on\n              software license management that applied to the management of server software\n              licenses.\nII.        Determined if the IRS has developed adequate policies, procedures, roles, and\n           responsibilities for the management of server software licenses.\n           A. Determined if the IRS has an enterprise-wide policy for server software license\n              management that is consistent with Government requirements and industry best\n              practices.\n           B. Determined if the IRS has enterprise-wide procedures for server software license\n              management that are consistent with Government requirements and industry best\n              practices. For example, procedures should cover 1) centralized inventories with\n              licensing data, 2) using tools for discovering installed software and monitoring\n              software use, 3) reconciling reports from tools with software license records,\n              4) monitoring the use of deployed licenses, and 5) using software licensing data to\n              better negotiate software license purchases and maintenance agreements with\n              vendors.\n           C. Determined if the IRS has enterprise-wide roles and responsibilities for server\n              software license management that are consistent with Government requirements and\n\n1\n    See Appendix V for a glossary of terms.\n                                                                                            Page 18\n\x0c                         The Internal Revenue Service Should Improve\n                     Server Software Asset Management and Reduce Costs\n\n\n\n          industry best practices and if the IRS has assigned roles and responsibilities for all\n          software license management procedures.\n       D. Determined if the Enterprise Operations organization has local policies, procedures,\n          and roles and responsibilities for server software license management that are\n          consistent with Government requirements and industry best practices.\n       E. Determined if the IRS\xe2\x80\x99s policies, procedures, and roles and responsibilities establish a\n          centralized, rather than decentralized, organization and structure for server software\n          license management.\nIII.   Determined if the IRS has a centralized server licensing inventory and manages and\n       maintains the inventory with software tools designed for license management.\n       A. Determined if the IRS has a centralized inventory of server software including\n          licensing data.\n       B. Determined if the IRS adequately uses tools for discovering installed software and\n          monitoring software use.\n          1. Determined how frequently the IRS performs server software discovery and\n             software use scans and generates management reports.\n          2. Determined if the IRS\xe2\x80\x99s scans are capable of detecting 1) unauthorized\n             (unlicensed) software installed, 2) the deployment of more licenses than were\n             bought, 3) the deployment of significantly fewer licenses than were bought, and\n             4) deployed licenses that are not being used and can be harvested and reissued to\n             other users or servers.\n          3. Determined if the IRS uses server software licensing reports from the discovery\n             tool to reconcile known software and licenses against discovery results and to\n             resolve exceptions or noncompliance with software licenses.\n          4. Determined if the IRS uses server software and license inventory data to better\n             negotiate, package, and consolidate software license purchases, renewals, and\n             maintenance with vendors.\nIV.    Determined if the IRS is adequately managing software licenses by reviewing a selection\n       of server software products.\n       A. Determined the inventory data the IRS has on its server software products and how it\n          could be used to select software products to review the IRS\xe2\x80\x99s software license\n          management.\n       B. With a goal to illustrate the effect of the current IRS processes in place to track and\n          manage software licenses, we chose to select a subset of 24 software products for\n          review. Because the IRS did not have a complete centralized inventory of its\n\n                                                                                           Page 19\n\x0c                 The Internal Revenue Service Should Improve\n             Server Software Asset Management and Reduce Costs\n\n\n\n   software, including licensing data, three lists of software products were used to select\n   the server software products. The Enterprise Standards Profile is a portfolio of all\n   (enterprise-wide) approved commercial off-the-shelf software products that have been\n   tested and approved for use on IRS computers. The IRS may or may not choose to go\n   forward with purchasing and installing the products on this list. Because of this,\n   100 server software products were randomly selected from the Enterprise Standards\n   Profile as potential cases. To better refine the potential cases, two additional lists\n   from the IRS were used: 1) software installed on IRS computers as identified via IRS\n   network scans and 2) software purchased as identified from several recordkeeping\n   systems. If any of the 100 software products selected from the Enterprise Standards\n   Profile could not be identified on either of these two sources, it was removed from the\n   list of potential cases. From the 34 potential cases identified through this process,\n   information was requested and received from the IRS for 24 software products. One\n   product of the 24 was deleted as it was determined that the license for this product\n   was not owned by the IRS.\nC. On each software product reviewed, 1) obtained the software licensing agreement or\n   other documentation that named and explained the licensing metric, 2) reviewed\n   software purchase documents, 3) reviewed records used by the IRS to manage and\n   track the deployment of software licenses, and 4) determined the scope of the IRS\xe2\x80\x99s\n   software licensing management and tracking activities.\nD. On each software product reviewed, obtained additional documentation and\n   interviewed IRS employees as necessary to substantiate the accuracy of the software\n   licensing data being managed and tracked.\nE. On each software product reviewed, determined if the IRS was managing and\n   tracking licenses for 1) the deployment of more licenses than were bought, 2) the\n   deployment of significantly fewer licenses than were bought, 3) deployed licenses\n   that were not being used and could be harvested and reissued to other users or\n   computers, and 4) any other software license management activities that the IRS\n   could be doing based upon comparison with other reviewed products. We also\n   calculated the estimated costs of license overdeployment and underdeployment.\nF. On each software product reviewed, determined how exceptions or noncompliance\n   with software licenses are resolved.\nG. On each software product reviewed that was for annual software renewal or\n   maintenance, determined if the number of software licenses that maintenance was\n   purchased for was the minimum needed based on data that tracked the license\n   deployment history of the software product.\n\n\n\n\n                                                                                  Page 20\n\x0c                          The Internal Revenue Service Should Improve\n                      Server Software Asset Management and Reduce Costs\n\n\n\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined that the\nfollowing internal controls were relevant to our audit objective: the IT organization\xe2\x80\x99s policies,\nprocedures, and processes for managing and tracking software licenses. We evaluated these\ncontrols by interviewing IT organization management, identifying Federal requirements and\nindustry best practices for managing and tracking software licenses, and reviewing software\nlicense management and tracking on a selection of server software products.\n\n\n\n\n                                                                                           Page 21\n\x0c                        The Internal Revenue Service Should Improve\n                    Server Software Asset Management and Reduce Costs\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nDanny Verneuille, Director\nJohn Ledford, Audit Manager\nRichard Borst, Lead Auditor\nGeorge Franklin, Senior Auditor\nRyan Perry, Senior Auditor\nKasey Koontz, Auditor\n\n\n\n\n                                                                                     Page 22\n\x0c                       The Internal Revenue Service Should Improve\n                   Server Software Asset Management and Reduce Costs\n\n\n\n                                                                       Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nDeputy Chief Information Officer for Operations OS:CTO\nAssociate Chief Information Officer, Enterprise Operations OS:CTO:EO\nAssociate Chief Information Officer, Strategy and Planning OS:CTO:SP\nDirector, Vendor Contract Management OS:CTO:SP:VCM\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management Division OS:CTO:SP:RM\n\n\n\n\n                                                                             Page 23\n\x0c                               The Internal Revenue Service Should Improve\n                           Server Software Asset Management and Reduce Costs\n\n\n\n                                                                                   Appendix IV\n\n                                       Outcome Measure\n\nThis appendix presents detailed information on the measurable impact that our recommended\ncorrective action will have on tax administration. This benefit will be incorporated into our\nSemiannual Report to Congress.\n\nType and Value of Outcome Measure:\n\xef\x82\xb7     Inefficient Use of Resources \xe2\x80\x93 Potential; $97.8 million midpoint of the range (ranging from\n      $81.4 million to $114.1 million) (see page 4).\n\nMethodology Used to Measure the Reported Benefit:\nOn behalf of IBM, a third-party contractor conducted a compliance review of the IRS\xe2\x80\x99s software\nlicense agreements1 associated with its IBM software contract. The review produced lists of\nsoftware with data on the number of licenses that had been nondeployed, underdeployed, and\noverdeployed. The IBM contract in effect when the compliance review was performed did not\ninclude itemized pricing information that TIGTA could use to determine the exact cost of the\nnondeployed, underdeployed, and overdeployed licenses and related software and subscription\nsupport. Therefore, we used the 2012 IBM GSA Price List, the only itemized pricing\ninformation available, to estimate the cost with the exception of a small number of software\nproducts for which we could not match to a GSA price.\nAlso, IRS management stated that because the IRS is a large purchaser of IBM software it pays\n30 percent less than the GSA price, which could potentially affect the estimated value of license\nnondeployment, underdeployment, and overdeployment. The IRS was unable to provide\ndocumentation showing that such discounts occurred for the software in our analysis; however,\nto account for this possibility, we show the potential discounted amount in the range.\nBased on the compliance review, GSA prices, and IRS comment, we determined that the IRS\nhad:\n      \xef\x82\xb7    Purchased but not deployed software licenses and related software and subscription\n           support on 43 IBM server software products at the time of the compliance review, at an\n           estimated range of value from $43.3 million to $62.0 million with a midpoint value of the\n           range at $52.7 million.\n\n\n\n1\n    See Appendix V for a glossary of terms.\n                                                                                            Page 24\n\x0c                         The Internal Revenue Service Should Improve\n                     Server Software Asset Management and Reduce Costs\n\n\n\n   \xef\x82\xb7   Deployed significantly fewer software licenses and related software and subscription\n       support than it purchased on 18 IBM server software products at the time of the\n       compliance review, at an estimated range of value from $32.8 million to $46.8 million\n       and a midpoint value of the range at $39.8 million. Our figures on license\n       underdeployments only include amounts in excess of 10 percent of the number of\n       licenses purchased.\nThese ranges could be lower or higher depending on the extent that the IRS had used the licenses\nprior to the compliance review. However, the IRS does not know if the software licenses were\never used. In addition to nondeployed and underdeployed licenses identified in the contractor\nreview, we found that licenses were underdeployed for eight of 23 server software products we\nreviewed, at an estimated cost of $5.3 million. This figure includes only the amount in excess of\n10 percent of the number of licenses purchased. To determine the extent that licenses were\nunderdeployed and overdeployed in the products we reviewed, we obtained requisitions and\npurchase orders to determine the number of licenses purchased, the number of licenses that\nmaintenance was purchased for, and the prices paid. We also obtained IRS license tracking\nreports or, if none were available, we requested the data needed, depending on the license metric,\nfor determining the number of licenses that had been deployed.\n\n\n\n\n                                                                                          Page 25\n\x0c                            The Internal Revenue Service Should Improve\n                        Server Software Asset Management and Reduce Costs\n\n\n\n                                                                                        Appendix V\n\n                                 Glossary of Terms\n\n              Term                                            Definition\nBest Practices                 Proven activities or processes that have been successfully used by\n                               multiple organizations.\nCampus                         The data processing arm of the IRS. The campuses process paper and\n                               electronic submissions, correct errors, and forward data to the\n                               Computing Centers for analysis and posting to taxpayer accounts.\nEnterprise Operations          The part of the IRS IT organization that provides server and mainframe\nOrganization                   computing services for all IRS business entities and taxpayers.\nExecutive Orders               Legally binding orders given by the President, acting as the head of the\n                               Executive Branch, to Federal Administrative Agencies. Executive\n                               Orders are generally used to direct Federal agencies and officials in their\n                               execution of congressionally established laws or policies.\nExecutive Order 13103,         Requires Federal agencies to develop software license management\nComputer Software Piracy       policies and procedures. It also requires Federal agencies to prepare\n                               inventories of software present on computers to help ensure that\n                               software is used in compliance with copyright laws.\nExecutive Order 13589,         Requires Federal agencies to take inventory of their information\nPromoting Efficient Spending   technology assets and ensure that they are not paying for nondeployed\n                               or underdeployed installed software.\nFederal Chief Information      As the principal interagency forum on Federal information technology,\nOfficer Council                the purpose of the Federal Chief Information Officer Council is to foster\n                               collaboration among Federal Government Chief Information Officers in\n                               strengthening Governmentwide information technology management\n                               practices.\nFiscal Year                    Any yearly accounting period, regardless of its relationship to a calendar\n                               year. The Federal Government\xe2\x80\x99s fiscal year begins on October 1 and\n                               ends on September 30.\nForrester Research Inc.        A global research and advisory firm that provides research guidance to\n                               the information technology industry.\nGovernment Accountability      The audit, evaluation, and investigative arm of Congress that provides\nOffice                         analyses, recommendations, and other assistance to help Congress make\n                               informed oversight, policy, and funding decisions.\n\n                                                                                                 Page 26\n\x0c                           The Internal Revenue Service Should Improve\n                       Server Software Asset Management and Reduce Costs\n\n\n\n           Term                                                 Definition\nInformation Technology           Provides guidelines for the use and management of software and\nInfrastructure Library (ITIL\xc2\xae)   licenses.\n                                 The ITIL is a widely accepted set of concepts and practices for\n                                 information technology service management derived from user and\n                                 vendor experts in both the private and public sectors. The ITIL focuses\n                                 on the key service management principles pertaining to service strategy,\n                                 service design, service transition, service operation, and continual\n                                 service improvement, with each principle being covered in a separate\n                                 ITIL core publication. Software asset management is a key process\n                                 described within the service transition core publication. The ITIL also\n                                 has a separate publication entitled Best Practice Software Asset\n                                 Management that covers software asset and license management best\n                                 practices in more depth than the core publication. ITIL best practices\n                                 recommend 1) the development of software license management\n                                 policies and procedures and roles and responsibilities; 2) a centralized,\n                                 enterprise-wide management structure for software asset management;\n                                 3) the use of software license management tools; and 4) the creation and\n                                 maintenance of accurate enterprise-wide inventories of software\n                                 licenses.\nInformation Technology           Maturity levels refer to an IT organization\xe2\x80\x99s ability to perform. An\nInfrastructure Library (ITIL)    organization passes through the following five evolutionary levels as it\nMaturity Levels                  becomes more competent:\n                                 Level 1: Initial \xe2\x80\x93 Focuses on technology and technology\n                                 excellence/experts.\n                                 Level 2: Repeatable \xe2\x80\x93 Focuses on products/services and operational\n                                 processes (e.g., Service Support).\n                                 Level 3: Defined \xe2\x80\x93 Focuses on the customer and proper\n                                 service-level management.\n                                 Level 4: Managed \xe2\x80\x93 Focuses on business/information technology\n                                 alignment.\n                                 Level 5: Optimized \xe2\x80\x93 Focuses on value and the seamless integration of\n                                 information technology into the business and strategy making.\nInformation Technology           The IRS organization responsible for delivering information technology\nOrganization                     services and solutions that drive effective tax administration to ensure\n                                 public confidence.\n\n\n\n\n                                                                                                  Page 27\n\x0c                          The Internal Revenue Service Should Improve\n                      Server Software Asset Management and Reduce Costs\n\n\n\n             Term                                             Definition\nNational Institute of           A part of the Department of Commerce that is responsible for\nStandards and Technology        developing standards and guidelines for providing adequate information\n                                security for all Federal Government agency operations and assets.\nNational Institute of           Requires that Federal agencies employ tracking systems, such as\nStandards and Technology        specialized fully automated applications depending on the needs of the\nSpecial Publication             organization, for software protected by quantity licenses to control\n800-53, Recommended             copying and distribution and to help ensure that software is used in\nSecurity Controls for Federal   accordance with licensing agreements.\nInformation Systems and\nOrganizations\nSharePoint                      Microsoft SharePoint is a collection of products and software elements\n                                that includes web browser-based collaboration functions and a document\n                                management platform. SharePoint can be used to host web sites that\n                                access shared workspaces, information stores, and documents.\nSoftware License Agreement      The legal contract between the owner and purchaser of a piece of\n                                software that establishes the purchaser\xe2\x80\x99s rights. A software license\n                                agreement provides details and limitations on where, how, how often,\n                                and when the software can be installed and used, and provides\n                                restrictions that are imposed on the software. The agreement includes\n                                the licensing model that will be used for defining and measuring the use\n                                of the software. For example, a common simple license model could be\n                                based on how many people can use the software and how many systems\n                                the software may be installed on. Software companies also make special\n                                license agreements for large business and Government entities that may\n                                be different from those provided to the general consumer.\nTreasury Directive              Requires that bureaus periodically scan their networks to detect and\nPublication 85-01, Treasury     remove any unauthorized or unlicensed software.\nIT Security Program\nTreasury Directive 85-02,       Issued to implement Executive Order 13103 and requires that bureaus\nSoftware Piracy Policy          establish and maintain an accurate software inventory to help ensure that\n                                software is used in accordance with software license agreements.\n                                                    \xc2\xa0\n\n\n\n\n                                                                                                 Page 28\n\x0c          The Internal Revenue Service Should Improve\n      Server Software Asset Management and Reduce Costs\n\n\n\n                                                Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                      Page 29\n\x0c    The Internal Revenue Service Should Improve\nServer Software Asset Management and Reduce Costs\n\n\n\n\n                                                Page 30\n\x0c    The Internal Revenue Service Should Improve\nServer Software Asset Management and Reduce Costs\n\n\n\n\n                                                Page 31\n\x0c    The Internal Revenue Service Should Improve\nServer Software Asset Management and Reduce Costs\n\n\n\n\n                                                Page 32\n\x0c    The Internal Revenue Service Should Improve\nServer Software Asset Management and Reduce Costs\n\n\n\n\n                                                Page 33\n\x0c'